Non backwards compatibility of OAuth Authorization Code token for Chatbot API

API Endpoint(s) and/or Zoom API Event(s)
Chatbot Send Message API
Get User’s Profile

Our app generated an OAuth’s Authorization Code flow token which served us well for all of Zoom’s APIs, including sending a chatbot message, getting user’s profile, listing channels, etc.

In the past all of this used to work with that single generated bearer token, including sending a chatbot message.
After quite some time we’ve noticed we can no longer send chatbot messages using said token (getting the “Invalid Authorization Token”, while it works fine with other API endpoints), and in the new documentation we found that it states that we need a different token now, generated using the OAuth Client Credentials, but using the same exact credentials.

A common use case of ours was to send a message to a user via the user’s email, so we would get the user’s JID using the Get User’s Profile API, and then send the user a chatbot message. It all worked fine. Now, on the other hand, we have to generate both tokens, because we cannot use the Get User’s Profile API with the Client Credentials token, and we cannot use the Send Chatbot Message API with the Authorization Code token.

Note that the Authorization Code token is a superset of the Client Credentials.

Since we are supporting both our own Zoom app and our clients’ Zoom apps, which they can integrate with on the fly, we’ll have to change quite a lot in our system to support this change.

We wanted to know:

  1. Why was this change made? Because Chatbot API definitely supported the Authorization Code token in the past.
  2. Is there a workaround? Perhaps a different API we can use with the Authorization Code token to send chatbot messages? Or a way to access the other APIs with the Client Credentials token?


{"code": 7010,"message":"Invalid authorization token.","result":false}

How To Reproduce
Steps to reproduce the behavior:

curl -XPOST \
  -H "Authorization: Bearer <OAuth Authorization Code token>" \
  -H "Content-Type: application/json" \
  -d '{"account_id":"<account_id>","content":{"head":{"text":"test123"}},"robot_jid":"<bot JID>","to_jid":"<user JID>","user_jid":"<user JID>"}'

Hi @igor.torq ,

These credentials are from an OAuth app or Chat app?

If you’re using OAuth app credentials, there may have been a misstep. Please use the Chat app credentials. Additionally, I may be mistaken, but based on the following:

We do not supply the authorization code we get from authorizing our Chat app to the API endpoints. We apply the authorization code to the request body parameters when requesting an access_token from

Then supply that access token to endpoints like //

To recap, you retrieve the authorization code as described here:

Then you supply that code as explained in Step 2: Request access token.

Looking forward to your response.
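
An added example, not part of the thread and not Zoom's code: one way to handle the two-token situation described in the original post is a small broker that picks the grant per endpoint, caches each token until shortly before expiry, and refuses paths it has no mapping for. The path prefixes, the class and function names, and the fetcher callables (which would perform the real token requests) are assumptions.

```python
import time

AUTH_CODE = "authorization_code"
CLIENT_CREDS = "client_credentials"

# Assumed path prefixes for the two APIs named in the post (not from the page).
GRANT_FOR_PREFIX = (
    ("/im/chat/messages", CLIENT_CREDS),  # Chatbot Send Message
    ("/users/", AUTH_CODE),               # Get User's Profile
)


class TokenBroker:
    """Hypothetical helper: one cached token per grant type, chosen by path."""

    def __init__(self, fetchers, clock=time.monotonic, skew=60):
        self._fetchers = fetchers  # grant -> callable returning (token, expires_in)
        self._clock = clock
        self._skew = skew          # refresh this many seconds before expiry
        self._cache = {}           # grant -> (token, expires_at)

    def grant_for(self, path):
        for prefix, grant in GRANT_FOR_PREFIX:
            if path.startswith(prefix):
                return grant
        # Fail closed: never send a token to an endpoint with no mapping.
        raise ValueError(f"no grant mapped for {path!r}")

    def token_for(self, path):
        grant = self.grant_for(path)
        cached = self._cache.get(grant)
        if cached is None or self._clock() >= cached[1] - self._skew:
            token, expires_in = self._fetchers[grant]()
            cached = (token, self._clock() + expires_in)
            self._cache[grant] = cached
        return cached[0]

    def headers_for(self, path):
        return {"Authorization": f"Bearer {self.token_for(path)}"}


def build_requests(broker, email):
    """The two calls from the post: profile lookup, then chatbot message."""
    profile_path = f"/users/{email}"
    message_path = "/im/chat/messages"
    return (
        ("GET", profile_path, broker.headers_for(profile_path)),
        ("POST", message_path, broker.headers_for(message_path)),
    )
```

Keeping the two tokens in separate cache slots keyed by grant type means a token is only ever attached to the endpoint family it was issued for.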